Password Security

I want to take a moment to write about password security. The funny thing about security is that the more secure a system gets, the less usable it becomes. If you have ever tried to use SELinux (Security-Enhanced Linux), you probably noticed that its inconvenience factor is almost equal to its usability. Especially for lazy people like myself, there is a limit to how secure a system can be.

The key to security is password selection. A lot of people pick something easy to remember, such as the name of their pet or their birthday reversed, or something easy to type, like 123456 or asdfg. However, as computers become more powerful, it is becoming easier to crack these kinds of passwords. If your password is shorter than 8 characters, it can be cracked in less than 10 minutes on a standard desktop PC. In fact, when I typed some of the passwords mentioned above into http://www.howsecureismypassword.net, it told me that they would be cracked instantly.

So a password is more secure if it is long, meaningless, and mixes uppercase and lowercase letters with punctuation. However, passwords like that are almost impossible to remember and look like gibberish. Writing such a password on a sticky note and sticking it to the monitor defeats the purpose, for obvious reasons.

If you have accounts on various websites, it becomes almost impossible to remember which password goes with which website unless it is written on a piece of paper or in a file.

One useful method is to come up with a long sentence and take the first (or second, or last) letter of each word. If the sentence includes the name of the website, punctuation, and numbers, the result is definitely an improvement over the methods above.

For example: “I log into google dot com every day and look @ my watch twice.” The first letters of this sentence give “Iligdcedal@mwt.”. When I typed this password into the website I mentioned above, it said that it would take a desktop PC 824 billion years to crack it. That is a definite improvement, and the same method can be used for many different websites.
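As an added illustration (not code from the original post), the following Python derives a password from a sentence the way described above and estimates the brute-force keyspace that explains the gap between the weak examples and the derived one. The 1e9 guesses per second rate and the character-class sizes are my assumptions, not the checker site's model, and the estimate ignores dictionary or pattern attacks, which can be far faster.

```python
import re
import string

# Character classes for a worst-case brute-force estimate (assumption: the
# attacker knows which classes appear and tries every string of that length).
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
]


def derive_password(sentence: str) -> str:
    """Take the first character of every word, keeping standalone symbols
    such as '@' and the sentence's closing punctuation (the post's method)."""
    tokens = sentence.split()
    chars = [t[0] for t in tokens]
    # Carry over trailing punctuation of the final word, e.g. the '.' in 'twice.'
    tail = re.search(r"[^\w]+$", tokens[-1])
    if tail and len(tokens[-1]) > len(tail.group(0)):
        chars.append(tail.group(0))
    return "".join(chars)


def keyspace(password: str) -> int:
    """Number of candidates a brute-force search over the present classes covers."""
    alphabet = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    return alphabet ** len(password)


def crack_time_years(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case brute-force time; 1e9 guesses/s is an assumed desktop rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    sentence = "I log into google dot com every day and look @ my watch twice."
    for pw in ("123456", "asdfg", derive_password(sentence)):
        print(f"{pw!r:20} keyspace={keyspace(pw):.3g} years={crack_time_years(pw):.3g}")
```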

Where humans fail, computer programs excel. There are a number of programs to manage your passwords. I will briefly cover a program called KeePassX. It is free and available for Windows, MacOS, and Linux (see the KeePassX download page). There is also a browser-based one called LastPass that might be more versatile.

I have installed KeePassX on my Fuduntu Linux desktop system, but it should work almost the same way on Windows and MacOS.

After you download, install, and start the program, you will see the following screen.

Set Master

All your passwords are encrypted and stored in a .kdb file. You need one master password to access all the other passwords in the database, so it is especially important to use a strong password for this purpose.

Optionally, you can also use an auto-generated key file. Normally you would store this file on separate media, such as a USB stick, so that you need both the master password and the USB stick to access the other passwords. This sounds like a good idea, but what happens if you lose the USB stick, or it somehow becomes unusable?

This is what the main screen looks like.

Main Screen

By default there are two groups, Internet and eMail. You can create a new group by clicking on Groups: just type the name of the group and pick an icon. Groups let you organize passwords into separate categories, and each group can hold any number of password entries.

New Group

To create a new password entry in one of the groups, click Entries->Add New Entry. You will see a window that looks like this.

New Entry

Pick one of the groups from the drop-down menu, and pick an icon for this password entry. The rest of the fields are self-explanatory. Note that you can ask the program to auto-generate a password, and you can set an expiration date for the entry so you are reminded to change it periodically.